release upgrader launches browser as root

Bug #1174007 reported by omichalek
This bug affects 5 people
Affects                            Status         Importance   Assigned to   Milestone
ubuntu-release-upgrader (Ubuntu)   Fix Released   Low          Unassigned
Trusty                             Fix Released   Low          Unassigned
Xenial                             Fix Released   Low          Unassigned
Artful                             Fix Released   Low          Unassigned
Bionic                             Fix Released   Low          Unassigned

Bug Description

1. I launch Software Updater, then choose "Upgrade..." to initiate the 13.04 upgrade
2. I am asked for password
3. A window with release notes pops up

PROBLEM:
4. I click the URL to view release notes
5. A pop-up window complains "Chromium cannot be run as root." (despite Firefox being my default browser)
6. Firefox is launched as root

EXPECTED:
Software Center should honour my default browser and definitely not run it as root.

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: software-center 5.4.1.4
Uname: Linux 3.9.0-030900rc8-generic x86_64
ApportVersion: 2.6.1-0ubuntu10
Architecture: amd64
Date: Sun Apr 28 18:06:34 2013
InstallationDate: Installed on 2012-11-02 (176 days ago)
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.5)
MarkForUpload: True
PackageArchitecture: all
SourcePackage: software-center
UpgradeStatus: No upgrade log present (probably fresh install)

omichalek (omichalek) wrote :

I am attaching an animation of the steps

affects: software-center (Ubuntu) → update-manager (Ubuntu)
Changed in update-manager (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
summary: - Software updater launches browser as root
+ release upgrader launches browser as root
affects: update-manager (Ubuntu) → ubuntu-release-upgrader (Ubuntu)
skierpage (skierpage) wrote :

The exact same thing happens with the 13.04 -> 13.10 updater. I already had Firefox running. From the Release Notes window, clicking
  To see what's new in this release, visit:
   http://www.ubuntu.com/desktop/features
brings up same alert about Chromium, and starts a new Firefox window running as root.

This also happens when you click the other links in the Release Notes window, e.g. "community/participate".

Teo (teo1978) wrote :

WTF two f***ing years later and still not fixed.

Exact same issue upgrading from 15.04 to 15.10

Also note that launching the browser as root is a huge SECURITY issue, how can the importance possibly be just "medium"??

Michael Farrell (micolous) wrote :

This is still an issue in 17.04. I've flipped this to being a security issue so hopefully it will get the attention it deserves.

$ ps aux | grep firefox
root 4497 12.8 1.0 2211388 347188 ? SNl 10:07 0:03 /usr/lib/firefox/firefox https://wiki.ubuntu.com/ArtfulAardvark/ReleaseNotes

information type: Public → Public Security
Changed in ubuntu-release-upgrader (Ubuntu):
importance: Medium → Low
Jed Davis (jld-moz) wrote :

FYI, this is going to break in Firefox 60.

Running Firefox like this (as root in a non-root user's session) has never officially been supported, due to the risk of creating root-owned files that the user can't delete, potentially being a privilege escalation vector, etc. However, this hasn't been enforced.

Until now. There are sandboxing changes coming in 60 that will, as a side effect, break "sudo firefox"-type use. Currently the browser UI will start but fail to load anything, but that's not very helpful for understanding what went wrong, so the plan is to refuse to start and print an error message; see https://bugzilla.mozilla.org/show_bug.cgi?id=1323302

Changed in ubuntu-release-upgrader (Ubuntu Trusty):
status: New → Confirmed
Changed in ubuntu-release-upgrader (Ubuntu Xenial):
status: New → Confirmed
Changed in ubuntu-release-upgrader (Ubuntu Artful):
status: New → Confirmed
Changed in ubuntu-release-upgrader (Ubuntu Bionic):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-release-upgrader - 1:18.04.15

---------------
ubuntu-release-upgrader (1:18.04.15) bionic; urgency=medium

  * Fix long line causing pep8 failure in autopkgtest.

 -- Marc Deslauriers <email address hidden> Sat, 07 Apr 2018 10:57:08 -0400

Changed in ubuntu-release-upgrader (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-release-upgrader - 1:16.04.25

---------------
ubuntu-release-upgrader (1:16.04.25) xenial-security; urgency=medium

  * Properly drop permissions when opening a browser. (LP: #1174007)

 -- Marc Deslauriers <email address hidden> Mon, 09 Apr 2018 10:01:24 -0400

Changed in ubuntu-release-upgrader (Ubuntu Xenial):
status: Confirmed → Fix Released
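
The changelog entry above says only that permissions are now dropped before the browser is opened. As an added illustration (not the ubuntu-release-upgrader patch and not code from this report), this is one way a root Python process can do that; it assumes the upgrader was started through sudo or pkexec, which set SUDO_UID or PKEXEC_UID, and it uses xdg-open so the user's default browser is honoured. All function names are hypothetical.

```python
import os
import pwd
import subprocess

# Variables set by pkexec and sudo that record who started the root process.
ORIGIN_UID_VARS = ("PKEXEC_UID", "SUDO_UID")
# Session variables passed through; everything else from root's environment is dropped.
PASS_THROUGH = ("DISPLAY", "WAYLAND_DISPLAY", "XAUTHORITY", "LANG", "PATH")


def invoking_uid(environ):
    """Return the non-root uid that started this process, or None if unknown."""
    for name in ORIGIN_UID_VARS:
        value = environ.get(name, "")
        if value.isascii() and value.isdigit() and int(value) != 0:
            return int(value)
    return None


def user_environment(entry, environ):
    """Build the child's environment from passwd entry `entry`, not from root's."""
    env = {k: environ[k] for k in PASS_THROUGH if k in environ}
    env.update(HOME=entry.pw_dir, USER=entry.pw_name, LOGNAME=entry.pw_name)
    return env


def demote(entry):
    """Return a preexec hook that irreversibly drops root in the child."""
    def hook():
        os.initgroups(entry.pw_name, entry.pw_gid)  # supplementary groups first
        os.setgid(entry.pw_gid)                     # then gid, while still root
        os.setuid(entry.pw_uid)                     # uid last: real, effective and saved
        try:
            os.setuid(0)                            # regaining root must fail now
        except PermissionError:
            return
        raise RuntimeError("root privileges were not fully dropped")
    return hook


def open_url_as_user(url, environ=os.environ):
    """Open `url` with the user's default handler; refuse rather than run it as root."""
    uid = invoking_uid(environ)
    if uid is None:
        return None  # fail closed: no browser is better than a root browser
    entry = pwd.getpwuid(uid)
    return subprocess.Popen(["xdg-open", url], env=user_environment(entry, environ),
                            preexec_fn=demote(entry), cwd=entry.pw_dir)
```

Resetting HOME matters as much as the uid change: a browser that keeps root's HOME or runs with uid 0 is what leaves the root-owned profile files described earlier in this report.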
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-release-upgrader - 1:0.220.10

---------------
ubuntu-release-upgrader (1:0.220.10) trusty-security; urgency=medium

  * Properly drop permissions when opening a browser. (LP: #1174007)

 -- Marc Deslauriers <email address hidden> Mon, 09 Apr 2018 10:01:24 -0400

Changed in ubuntu-release-upgrader (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-release-upgrader - 1:17.10.11

---------------
ubuntu-release-upgrader (1:17.10.11) artful-security; urgency=medium

  * Properly drop permissions when opening a browser. (LP: #1174007)

 -- Marc Deslauriers <email address hidden> Mon, 09 Apr 2018 10:01:24 -0400

Changed in ubuntu-release-upgrader (Ubuntu Artful):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
Changed in ubuntu-release-upgrader (Ubuntu Artful):
importance: Undecided → Low
Changed in ubuntu-release-upgrader (Ubuntu Xenial):
importance: Undecided → Low
Changed in ubuntu-release-upgrader (Ubuntu Trusty):
importance: Undecided → Low
This report contains Public Security information  
Everyone can see this security related information.
